SCAP-Security-Guide - Delivers security guidance, baselines, and associated validation mechanisms
Description
The project provides practical security hardening advice and also links it to compliance requirements in
order to ease deployment activities, such as certification and accreditation. These include requirements
in the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial
services and health care industries. For example, high-level and widely-accepted policies such as NIST
800-53 provide prose stating that System Administrators must audit "privileged user actions," but do not
define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and
specific implementation guidance, in SCAP formats to support automation whenever possible.
The project's homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide
Examples
To scan your system utilizing the OpenSCAP utility against the ospp profile:
oscap xccdf eval --profile ospp --results-arf /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
Additional details can be found on the following websites:
https://www.github.com/ComplianceAsCode/content
The project's GitHub page.
https://complianceascode.readthedocs.io
The project's ReadTheDocs page.
https://app.gitter.im/#/room/#Compliance-As-Code-The_content:gitter.im
The project's Gitter IM space.
Files
/usr/share/xml/scap/ssg/content
Houses SCAP content utilizing the following naming conventions:
SCAP Source data streams: ssg-{product}-ds.xml
/usr/share/scap-security-guide/ansible/
Contains Ansible Playbooks for SSG profiles.
/usr/share/scap-security-guide/kickstart/
Contains example kickstarts that install systems hardened against a particular profile.
/usr/share/scap-security-guide/tailoring/
Contains tailoring files that enable rules that are not covered by third-party SCAP content and
disable rules that are covered by the content shipped in scap-security-guide.
Name
SCAP-Security-Guide - Delivers security guidance, baselines, and associated validation mechanisms
utilizing the Security Content Automation Protocol (SCAP).
Profiles In Guide To The Secure Configuration Of Alibaba Cloud Linux 2
Source data stream: ssg-alinux2-ds.xml
The Guide to the Secure Configuration of Alibaba Cloud Linux 2 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
PCI-DSS v4.0 Control Baseline for Alibaba Cloud Linux 2
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
Standard System Security Profile for Alibaba Cloud Linux 2
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Alibaba Cloud Linux 2
system. Regardless of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of Alibaba Cloud Linux 3
Source data stream: ssg-alinux3-ds.xml
The Guide to the Secure Configuration of Alibaba Cloud Linux 3 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
PCI-DSS v4.0 Control Baseline for Alibaba Cloud Linux 3
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
Standard System Security Profile for Alibaba Cloud Linux 3
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Alibaba Cloud Linux 3
system. Regardless of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of AlmaLinux OS 9
Source data stream: ssg-almalinux9-ds.xml
The Guide to the Secure Configuration of AlmaLinux OS 9 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
CIS AlmaLinux OS 9 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® AlmaLinux OS 9 CIS Benchmarks™ content.
CIS AlmaLinux OS 9 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® AlmaLinux OS 9 CIS Benchmarks™ content.
CIS AlmaLinux OS 9 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the
Center for Internet Security® AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® AlmaLinux OS 9 CIS Benchmarks™ content.
CIS AlmaLinux OS 9 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the
Center for Internet Security® AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® AlmaLinux OS 9 CIS Benchmarks™ content.
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This profile configures AlmaLinux OS 9 to the HIPAA Security Rule identified for securing of
electronic protected health information. Use of this profile in no way guarantees or makes claims
against legal compliance against the HIPAA Security Rule(s).
PCI-DSS v4.0.1 Control Baseline for AlmaLinux OS 9
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
This profile ensures AlmaLinux OS 9 is configured in alignment with PCI-DSS v4.0.1 requirements.
Profiles In Guide To The Secure Configuration Of Amazon Elastic Kubernetes Service
Source data stream: ssg-eks-ds.xml
The Guide to the Secure Configuration of Amazon Elastic Kubernetes Service is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
CIS Amazon Elastic Kubernetes Service (EKS) Benchmark - Node
Profile ID: xccdf_org.ssgproject.content_profile_cis-node
This profile defines a baseline that aligns to the Center for Internet Security® Amazon Elastic
Kubernetes Service (EKS) Benchmark™, V1.0.1.
This profile includes Center for Internet Security® Amazon Elastic Kubernetes Service (EKS)™
content.
This profile is applicable to EKS 1.21 and greater.
CIS Amazon Elastic Kubernetes Service Benchmark - Platform
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the Center for Internet Security® Amazon Elastic
Kubernetes Service (EKS) Benchmark™, V1.0.1.
This profile includes Center for Internet Security® Amazon Elastic Kubernetes Service (EKS)™
content.
This profile is applicable to EKS 1.21 and greater.
Profiles In Guide To The Secure Configuration Of Amazon Linux 2023
Source data stream: ssg-al2023-ds.xml
The Guide to the Secure Configuration of Amazon Linux 2023 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
CIS Amazon Linux 2023 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® Amazon Linux 2023 Benchmark™, v1.0.0, released 2023-06-26.
This profile includes Center for Internet Security® Amazon Linux 2023 CIS Benchmarks™ content.
CIS Amazon Linux 2023 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® Amazon Linux 2023 Benchmark™, v1.0.0, released 2023-06-26.
This profile includes Center for Internet Security® Amazon Linux 2023 CIS Benchmarks™ content.
Profiles In Guide To The Secure Configuration Of Anolis OS 23
Source data stream: ssg-anolis23-ds.xml
The Guide to the Secure Configuration of Anolis OS 23 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
PCI-DSS v4.0 Control Baseline for Anolis OS 23
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
Standard System Security Profile for Anolis OS 23
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Anolis OS 23 system.
Profiles In Guide To The Secure Configuration Of Anolis OS 8
Source data stream: ssg-anolis8-ds.xml
The Guide to the Secure Configuration of Anolis OS 8 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
PCI-DSS v4.0 Control Baseline for Anolis OS 8
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
Standard System Security Profile for Anolis OS 8
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Anolis OS 8 system.
Profiles In Guide To The Secure Configuration Of Apple macOS 10.15
Source data stream: ssg-macos1015-ds.xml
The Guide to the Secure Configuration of Apple macOS 10.15 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
Profile ID: xccdf_org.ssgproject.content_profile_moderate
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings
for deployment of Apple macOS 10.15 Catalina into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, and the National Security Agency.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
Profiles In Guide To The Secure Configuration Of Chromium
Source data stream: ssg-chromium-ds.xml
The Guide to the Secure Configuration of Chromium is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Upstream STIG for Google Chromium
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving
as the upstream development environment for the Google Chromium STIG.
As a result of the upstream/downstream relationship between the SCAP Security Guide project and
the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO
content. For official DISA FSO STIG content, refer to
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.
While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
that commercial support of this SCAP content is NOT available. This profile is provided as example
SCAP content with no endorsement for suitability or production readiness. Support for this profile
is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream
project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
Profiles In Guide To The Secure Configuration Of Debian 11
Source data stream: ssg-debian11-ds.xml
The Guide to the Secure Configuration of Debian 11 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by multiple higher level
security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive information that can be
accessible from unauthenticated or uncontrolled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated flows or
multiple sources.
Standard System Security Profile for Debian 11
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Debian 11 system. Regardless
of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of Debian 12
Source data stream: ssg-debian12-ds.xml
The Guide to the Secure Configuration of Debian 12 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by multiple higher level
security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive information that can be
accessible from unauthenticated or uncontrolled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated flows or
multiple sources.
Standard System Security Profile for Debian 12
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Debian 12 system. Regardless
of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of Fedora
Source data stream: ssg-fedora-ds.xml
The Guide to the Secure Configuration of Fedora is broken into 'profiles', groupings of security settings
that correlate to a known policy. Available profiles are:
CUSP - Common User Security Profile for Fedora Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cusp_fedora
This profile contains rules to harden Fedora Linux according to the Common User Security Guide for
Fedora Workstation.
OSPP - Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex
to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2).
As Fedora OS is a moving target, this profile does not guarantee to provide the security levels required
from US National Security Systems. The main goal of the profile is to provide Fedora developers with
a hardened environment similar to the one mandated by US National Security Systems.
PCI-DSS v3.2.1 Control Baseline for Fedora
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 related security configuration settings are applied.
Standard System Security Profile for Fedora
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Fedora system. Regardless
of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of Firefox
Source data stream: ssg-firefox-ds.xml
The Guide to the Secure Configuration of Firefox is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
CUSP - Common User Security Profile for Mozilla Firefox
Profile ID: xccdf_org.ssgproject.content_profile_cusp_firefox
This profile contains rules to harden Mozilla Firefox according to rule 6.1 in the Common User
Security Guide for Fedora Workstation.
Mozilla Firefox STIG
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving
as the upstream development environment for the Firefox STIG.
As a result of the upstream/downstream relationship between the SCAP Security Guide project and
the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO
content. For official DISA FSO STIG content, refer to
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.
While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
that commercial support of this SCAP content is NOT available. This profile is provided as example
SCAP content with no endorsement for suitability or production readiness. Support for this profile
is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream
project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
Profiles In Guide To The Secure Configuration Of Kylin Server 10
Source data stream: ssg-kylinserver10-ds.xml
The Guide to the Secure Configuration of Kylin Server 10 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Standard System Security Profile for Kylin Server V10
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Kylin Server V10.
Regardless of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of OpenEmbedded
Source data stream: ssg-openembedded-ds.xml
The Guide to the Secure Configuration of OpenEmbedded is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Sample expanded Security Profile for OpenEmbedded Distros
Profile ID: xccdf_org.ssgproject.content_profile_expanded
This profile is a sample for use in documentation and example content. The selected rules include
standard profile plus more network rules and password aging; they should still pass quickly on
most systems.
Sample Security Profile for OpenEmbedded Distros
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile is a sample for use in documentation and example content. The selected rules are
standard and should pass quickly on most systems.
Profiles In Guide To The Secure Configuration Of openEuler 2203
Source data stream: ssg-openeuler2203-ds.xml
The Guide to the Secure Configuration of openEuler 2203 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Standard System Security Profile for openEuler 22.03 LTS
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an openEuler system.
Regardless of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of openSUSE
Source data stream: ssg-opensuse-ds.xml
The Guide to the Secure Configuration of openSUSE is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Standard System Security Profile for openSUSE
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an openSUSE system. Regardless
of your system's workload all of these checks should pass.
Profiles In Guide To The Secure Configuration Of Oracle Linux 10
Source data stream: ssg-ol10-ds.xml
The Guide to the Secure Configuration of Oracle Linux 10 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
DRAFT - ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
DRAFT - ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
DRAFT - ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
DRAFT - ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This is a draft profile for experimental purposes.
This draft profile contains configuration checks for Oracle Linux 10 that align to the Australian
Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
DRAFT - Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
This is a draft profile for experimental purposes.
The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This draft profile configures Oracle Linux 10 to the HIPAA Security Rule identified for securing
of electronic protected health information. Use of this profile in no way guarantees or makes
claims against legal compliance against the HIPAA Security Rule(s).
DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Base
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This is a draft profile for experimental purposes.
This draft profile contains configuration checks for Oracle Linux 10 that align to the Australian
Cyber Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Oracle Linux security controls with the ISM, which can be used to select controls specific to an
organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Secret
Profile ID: xccdf_org.ssgproject.content_profile_ism_o_secret
This is a draft profile for experimental purposes.
This draft profile contains configuration checks for Oracle Linux 10 that align to the Australian
Cyber Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Oracle Linux security controls with the ISM, which can be used to select controls specific to an
organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Top Secret
Profile ID: xccdf_org.ssgproject.content_profile_ism_o_top_secret
This is a draft profile for experimental purposes.
This draft profile contains configuration checks for Oracle Linux 10 that align to the Australian
Cyber Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Oracle Linux security controls with the ISM, which can be used to select controls specific to an
organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
DRAFT - PCI-DSS v4.0.1 Control Baseline for Oracle Linux 10
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
This is a draft profile for experimental purposes.
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
This draft profile ensures Oracle Linux 10 is configured in alignment with PCI-DSS v4.0.1
requirements.
DRAFT - DISA STIG for Oracle Linux 10
Profile ID: xccdf_org.ssgproject.content_profile_stig
This is a draft profile for experimental purposes. It is not based on the DISA STIG for OL 10,
because it was not available at time of the release.
DRAFT - DISA STIG for Oracle Linux 10
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This is a draft profile for experimental purposes. It is not based on the DISA STIG for OL 10,
because it was not available at time of the release.
Profiles In Guide To The Secure Configuration Of Oracle Linux 7
Source data stream: ssg-ol7-ds.xml
The Guide to the Secure Configuration of Oracle Linux 7 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Criminal Justice Information Services (CJIS) Security Policy
Profile ID: xccdf_org.ssgproject.content_profile_cjis
This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found
at the CJIS Security Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in
non-federal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the
high-level and fundamental security requirements for federal information and information systems. The
derived security requirements, which supplement the basic security requirements, are taken from
the security controls in NIST Special Publication 800-53.
This profile configures Oracle Linux 7 to the NIST Special Publication 800-53 controls identified
for securing Controlled Unclassified Information (CUI).
DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Oracle Linux 7 that align to the Australian Cyber
Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This profile configures Oracle Linux 7 to the HIPAA Security Rule identified for securing
electronic protected health information. Use of this profile in no way guarantees or makes claims
of legal compliance with the HIPAA Security Rule(s).
NIST National Checklist Program Security Guide
Profile ID: xccdf_org.ssgproject.content_profile_ncp
This compliance profile reflects the core set of security related configuration settings for
deployment of Oracle Linux 7 into U.S. Defense, Intelligence, and Civilian agencies. Development
partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S.
Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)
- DISA Operating System Security Requirements Guide (OS SRG)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP
Security Guide initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide
content as minor divergences, such as bugfixes, work through the consensus and release processes.
DRAFT - Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex
to the Protection Profile for General Purpose Operating Systems (Protection Profile Version
4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security
Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is
suitable for use in U.S. National Security Systems.
PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 related security configuration settings are applied.
Security Profile of Oracle Linux 7 for SAP
Profile ID: xccdf_org.ssgproject.content_profile_sap
This profile contains rules for Oracle Linux 7 Operating System in compliance with SAP note
2069760 and SAP Security Baseline Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
of your system's workload all of these checks should pass.
Standard System Security Profile for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline for an Oracle Linux 7 system.
Regardless of your system's workload, all of these checks should pass.
DISA STIG for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Oracle Linux V3R1.
DISA STIG with GUI for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for Oracle Linux
V3R1.
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector
and decreases your overall security posture. If your Information Systems Security Officer (ISSO)
lacks a documented operational requirement for a graphical user interface, please consider using
the standard DISA STIG for Oracle Linux 7 profile.
Profiles In Guide To The Secure Configuration Of Oracle Linux 8
Source data stream: ssg-ol8-ds.xml
The Guide to the Secure Configuration of Oracle Linux 8 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in
non-federal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the
high-level and fundamental security requirements for federal information and information systems. The
derived security requirements, which supplement the basic security requirements, are taken from
the security controls in NIST Special Publication 800-53.
This profile configures Oracle Linux 8 to the NIST Special Publication 800-53 controls identified
for securing Controlled Unclassified Information (CUI).
DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Oracle Linux 8 that align to the Australian Cyber
Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This profile configures Oracle Linux 8 to the HIPAA Security Rule identified for securing
electronic protected health information. Use of this profile in no way guarantees or makes claims
of legal compliance with the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Oracle Linux 8 that align to the Australian Cyber
Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Oracle Linux security controls with the ISM, which can be used to select controls specific to an
organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
DRAFT - Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex
to the Protection Profile for General Purpose Operating Systems (Protection Profile Version
4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security
Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is
suitable for use in U.S. National Security Systems.
PCI-DSS v4.0 Control Baseline for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
This profile ensures Oracle Linux 8 is configured in alignment with PCI-DSS v4.0 requirements.
Standard System Security Profile for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline for an Oracle Linux 8 system.
Regardless of your system's workload, all of these checks should pass.
DISA STIG for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Oracle Linux 8 V2R3.
DISA STIG with GUI for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for Oracle Linux
V2R3.
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector
and decreases your overall security posture. If your Information Systems Security Officer (ISSO)
lacks a documented operational requirement for a graphical user interface, please consider using
the standard DISA STIG for Oracle Linux 8 profile.
Profiles In Guide To The Secure Configuration Of Oracle Linux 9
Source data stream: ssg-ol9-ds.xml
The Guide to the Secure Configuration of Oracle Linux 9 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. ANSSI
is the French National Information Security Agency, and stands for Agence nationale de la sécurité
des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening
level. ANSSI is the French National Information Security Agency, and stands for Agence nationale
de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Centro Criptológico Nacional (CCN) - STIC for Oracle Linux 9 - Advanced
Profile ID: xccdf_org.ssgproject.content_profile_ccn_advanced
This profile defines a baseline that aligns with the "Advanced" configuration of the CCN-STIC-620
Guide issued by the National Cryptological Center of Spain in 2022-08.
The CCN-STIC-620 guide includes hardening settings for Oracle Linux 9 at basic, intermediate, and
advanced levels.
Centro Criptológico Nacional (CCN) - STIC for Oracle Linux 9 - Basic
Profile ID: xccdf_org.ssgproject.content_profile_ccn_basic
This profile defines a baseline that aligns with the "Basic" configuration of the CCN-STIC-620
Guide issued by the National Cryptological Center of Spain in 2022-08.
The CCN-STIC-620 guide includes hardening settings for Oracle Linux 9 at basic, intermediate, and
advanced levels.
Centro Criptológico Nacional (CCN) - STIC for Oracle Linux 9 - Intermediate
Profile ID: xccdf_org.ssgproject.content_profile_ccn_intermediate
This profile defines a baseline that aligns with the "Intermediate" configuration of the
CCN-STIC-620 Guide issued by the National Cryptological Center of Spain in 2022-08.
The CCN-STIC-620 guide includes hardening settings for Oracle Linux 9 at basic, intermediate, and
advanced levels.
DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in
nonfederal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the
high-level and fundamental security requirements for federal information and information systems. The
derived security requirements, which supplement the basic security requirements, are taken from
the security controls in NIST Special Publication 800-53.
This profile configures Oracle Linux 9 to the NIST Special Publication 800-53 controls identified
for securing Controlled Unclassified Information (CUI).
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Oracle Linux 9 that align to the Australian Cyber
Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This profile configures Oracle Linux 9 to the HIPAA Security Rule identified for securing
electronic protected health information. Use of this profile in no way guarantees or makes claims
of legal compliance with the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Oracle Linux 9 that align to the Australian Cyber
Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Oracle Linux security controls with the ISM, which can be used to select controls specific to an
organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
DRAFT - Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile is part of Oracle Linux 9 Common Criteria Guidance documentation for Target of
Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP) version 4.2.1
and Functional Package for SSH version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on
Configuration Annex to the OSPP.
PCI-DSS v4.0 Control Baseline for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
This profile ensures Oracle Linux 9 is configured in alignment with PCI-DSS v4.0 requirements.
Standard System Security Profile for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline for an Oracle Linux 9 system.
Regardless of your system's workload, all of these checks should pass.
DRAFT - DISA STIG for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the [DRAFT] DISA STIG for Oracle Linux 9.
DRAFT - DISA STIG with GUI for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the [DRAFT] DISA STIG for Oracle Linux 9.
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector
and decreases your overall security posture. If your Information Systems Security Officer (ISSO)
lacks a documented operational requirement for a graphical user interface, please consider using
the standard DISA STIG for Oracle Linux 9 profile.
Profiles In Guide To The Secure Configuration Of Red Hat Enterprise Linux 10
Source data stream: ssg-rhel10-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 10 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This is a draft profile for experimental purposes. This draft profile contains configurations
that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This is a draft profile for experimental purposes. It is based on the CIS RHEL 9 profile, because
an equivalent policy for RHEL 10 didn't yet exist at time of the release.
DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This is a draft profile for experimental purposes. It is based on the CIS RHEL 9 profile, because
an equivalent policy for RHEL 10 didn't yet exist at time of the release.
DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This is a draft profile for experimental purposes. It is based on the CIS RHEL 9 profile, because
an equivalent policy for RHEL 10 didn't yet exist at time of the release.
DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This is a draft profile for experimental purposes. It is based on the CIS RHEL 9 profile, because
an equivalent policy for RHEL 10 didn't yet exist at time of the release.
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This is a draft profile for experimental purposes.
This draft profile contains configuration checks for Red Hat Enterprise Linux 10 that align to the
Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
This is a draft profile for experimental purposes.
The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This draft profile configures Red Hat Enterprise Linux 10 to the HIPAA Security Rule identified
for securing electronic protected health information. Use of this profile in no way guarantees
or makes claims of legal compliance with the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official - Base
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This draft profile contains configuration checks for Red Hat Enterprise Linux 10 that align to the
Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Australian Cyber Security Centre (ACSC) ISM Official - Secret
Profile ID: xccdf_org.ssgproject.content_profile_ism_o_secret
This is a draft profile for experimental purposes.
This draft profile contains configuration checks for Red Hat Enterprise Linux 10 that align to the
Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Australian Cyber Security Centre (ACSC) ISM Official - Top Secret
Profile ID: xccdf_org.ssgproject.content_profile_ism_o_top_secret
This draft profile contains configuration checks for Red Hat Enterprise Linux 10 that align to the
Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
DRAFT - Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This draft profile is based on the Red Hat Enterprise Linux 9 Common Criteria Guidance, as
guidance for Red Hat Enterprise Linux 10 was not available at the time of release.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on
Configuration Annex to the OSPP.
PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
This is a draft profile for experimental purposes.
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
This draft profile ensures Red Hat Enterprise Linux 10 is configured in alignment with PCI-DSS
v4.0.1 requirements.
Red Hat STIG for Red Hat Enterprise Linux 10
Profile ID: xccdf_org.ssgproject.content_profile_stig
This is a profile based on what is expected in the RHEL 10 STIG. It is not based on the DISA STIG
for RHEL 10, because it was not available at time of the release.
In addition to being applicable to Red Hat Enterprise Linux 10, this configuration baseline is
applicable to the operating system tier of Red Hat technologies that are based on Red Hat
Enterprise Linux 10.
Red Hat STIG for Red Hat Enterprise Linux 10
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This is a profile based on what is expected in the RHEL 10 STIG. It is not based on the DISA STIG
for RHEL 10, because it was not available at time of the release.
In addition to being applicable to Red Hat Enterprise Linux 10, this configuration baseline is
applicable to the operating system tier of Red Hat technologies that are based on Red Hat
Enterprise Linux 10.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Source data stream: ssg-rhel8-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™
content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™
content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™
content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™
content.
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in
nonfederal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the
high-level and fundamental security requirements for federal information and information systems. The
derived security requirements, which supplement the basic security requirements, are taken from
the security controls in NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls
identified for securing Controlled Unclassified Information (CUI).
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the
Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule identified for
securing of electronic protected health information. Use of this profile in no way guarantees or
makes claims against legal compliance against the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the
Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability
marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex
to the Protection Profile for General Purpose Operating Systems (Protection Profile Version
4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security
Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is
suitable for use in U.S. National Security Systems.
PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
This profile ensures Red Hat Enterprise Linux 8 is configured in alignment with PCI-DSS v4.0.1
requirements.
DISA STIG for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise
Linux 8 V2R2.
In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline is
applicable to the operating system tier of Red Hat technologies that are based on Red Hat
Enterprise Linux 8, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image
DISA STIG with GUI for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for Red Hat
Enterprise Linux 8 V2R2.
In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline is
applicable to the operating system tier of Red Hat technologies that are based on Red Hat
Enterprise Linux 8, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector
and decreases your overall security posture. If your Information Systems Security Officer (ISSO)
lacks a documented operational requirement for a graphical user interface, please consider using
the standard DISA STIG for Red Hat Enterprise Linux 8 profile.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Source data stream: ssg-rhel9-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced
Profile ID: xccdf_org.ssgproject.content_profile_ccn_advanced
This profile defines a baseline that aligns with the "Advanced" configuration of the
CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.
The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic,
intermediate, and advanced levels.
Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Basic
Profile ID: xccdf_org.ssgproject.content_profile_ccn_basic
This profile defines a baseline that aligns with the "Basic" configuration of the CCN-STIC-610A22
Guide issued by the National Cryptological Center of Spain in 2022-10.
The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic,
intermediate, and advanced levels.
Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate
Profile ID: xccdf_org.ssgproject.content_profile_ccn_intermediate
This profile defines a baseline that aligns with the "Intermediate" configuration of the
CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.
The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic,
intermediate, and advanced levels.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™
content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™
content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™
content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the
Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™
content.
DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in
nonfederal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the
high-level and fundamental security requirements for federal information and information systems. The
derived security requirements, which supplement the basic security requirements, are taken from
the security controls in NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 9 to the NIST Special Publication 800-53 controls
identified for securing Controlled Unclassified Information (CUI).
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the
Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security Rule identified for
securing of electronic protected health information. Use of this profile in no way guarantees or
makes claims against legal compliance against the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the
Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability
marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance documentation for
Target of Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP)
version 4.3 and Functional Package for SSH version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on
Configuration Annex to the OSPP.
PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed
to ensure the secure handling of payment card data, with the goal of preventing data breaches and
protecting sensitive financial information.
This profile ensures Red Hat Enterprise Linux 9 is configured in alignment with PCI-DSS v4.0.1
requirements.
DISA STIG for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise
Linux 9 V2R3.
In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is
applicable to the operating system tier of Red Hat technologies that are based on Red Hat
Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 9 image
DISA STIG with GUI for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise
Linux 9 V2R3.
In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is
applicable to the operating system tier of Red Hat technologies that are based on Red Hat
Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 9 image
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector
and decreases your overall security posture. If your Information Systems Security Officer (ISSO)
lacks a documented operational requirement for a graphical user interface, please consider using
the standard DISA STIG for Red Hat Enterprise Linux 9 profile.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Source data stream: ssg-rhcos4-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
DRAFT - ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
DRAFT - BSI APP.4.4. and SYS.1.6
Profile ID: xccdf_org.ssgproject.content_profile_bsi-2022
This profile defines a baseline that aligns to the BSI (Federal Office for Security Information)
IT-Grundschutz Basic-Protection.
This baseline implements OS-Level configuration requirements from the following sources:
- Building-Block SYS.1.6 Containerisation
- Building-Block APP.4.4 Kubernetes
THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX
DRAFT - BSI APP.4.4. and SYS.1.6
Profile ID: xccdf_org.ssgproject.content_profile_bsi
This profile defines a baseline that aligns to the BSI (Federal Office for Security Information)
IT-Grundschutz Basic-Protection.
This baseline implements OS-Level configuration requirements from the following sources:
- Building-Block SYS.1.6 Containerisation
- Building-Block APP.4.4 Kubernetes
THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux CoreOS that align to the
Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_high-rev-4
This compliance profile reflects the core set of High-Impact Baseline configuration settings for
deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_high
This compliance profile reflects the core set of High-Impact Baseline configuration settings for
deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_moderate-rev-4
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings
for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_moderate
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings
for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
This compliance profile reflects a set of security recommendations for the usage of Red Hat
Enterprise Linux CoreOS in critical infrastructure in the energy sector. This follows the
recommendations coming from the following CIP standards:
- CIP-002-5
- CIP-003-8
- CIP-004-6
- CIP-005-6
- CIP-007-3
- CIP-007-6
- CIP-009-6
DISA STIG for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_stig-v1r1
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise
Linux CoreOS 4.
DISA STIG for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_stig-v2r1
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise
Linux CoreOS 4.
DISA STIG for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise
Linux CoreOS 4.
Profiles In Guide To The Secure Configuration Of Red Hat OpenShift Container Platform 4
Source data stream: ssg-ocp4-ds.xml
The Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available profiles are:
BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4
Profile ID: xccdf_org.ssgproject.content_profile_bsi-2022
This profile defines a baseline that aligns to the BSI (Federal Office for Security Information)
IT-Grundschutz Basic-Protection.
This baseline implements configuration requirements from the following sources:
- Building-Block SYS.1.6 Containerisation
- Building-Block APP.4.4 Kubernetes
BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4
Profile ID: xccdf_org.ssgproject.content_profile_bsi-node-2022
This profile defines a baseline that aligns to the BSI (Federal Office for Security Information)
IT-Grundschutz Basic-Protection.
This baseline implements configuration requirements from the following sources:
- Building-Block SYS.1.6 Containerisation
- Building-Block APP.4.4 Kubernetes
BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4
Profile ID: xccdf_org.ssgproject.content_profile_bsi-node
This profile defines a baseline that aligns to the BSI (Federal Office for Security Information)
IT-Grundschutz Basic-Protection.
This baseline implements configuration requirements from the following sources:
- Building-Block SYS.1.6 Containerisation
- Building-Block APP.4.4 Kubernetes
BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4
Profile ID: xccdf_org.ssgproject.content_profile_bsi
This profile defines a baseline that aligns to the BSI (Federal Office for Security Information)
IT-Grundschutz Basic-Protection.
This baseline implements configuration requirements from the following sources:
- Building-Block SYS.1.6 Containerisation
- Building-Block APP.4.4 Kubernetes
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis-1-4
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift
Container Platform 4 Benchmark™, V1.4.
This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS
Benchmarks™ content.
Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift
Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.10 and greater.
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis-1-5
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift
Container Platform 4 Benchmark™, V1.5.
This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS
Benchmarks™ content.
Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift
Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.12 and greater.
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis-node-1-4
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift
Container Platform 4 Benchmark™, V1.4.
This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS
Benchmarks™ content.
Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift
Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.10 and greater.
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis-node-1-5
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift
Container Platform 4 Benchmark™, V1.5.
This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS
Benchmarks™ content.
Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift
Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.12 and greater.
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis-node
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift
Container Platform 4 Benchmark™, V1.5.
This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS
Benchmarks™ content.
Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift
Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.12 and greater.
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift
Container Platform 4 Benchmark™, V1.5.
This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS
Benchmarks™ content.
Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift
Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.12 and greater.
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat OpenShift Container Platform that align to
the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
Profile ID: xccdf_org.ssgproject.content_profile_high-node-rev-4
This compliance profile reflects the core set of High-Impact Baseline configuration settings for
deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
Profile ID: xccdf_org.ssgproject.content_profile_high-node
This compliance profile reflects the core set of High-Impact Baseline configuration settings for
deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_high-rev-4
This compliance profile reflects the core set of High-Impact Baseline configuration settings for
deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_high
This compliance profile reflects the core set of High-Impact Baseline configuration settings for
deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
Profile ID: xccdf_org.ssgproject.content_profile_moderate-node-rev-4
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings
for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include the U.S. National Institute of
Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red
Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
Profile ID: xccdf_org.ssgproject.content_profile_moderate-node
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings
for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include the U.S. National Institute of
Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red
Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_moderate-rev-4
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings
for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include the U.S. National Institute of
Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red
Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_moderate
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings
for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include the U.S. National Institute of
Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red
Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level
Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip-node
This compliance profile reflects a set of security recommendations for the usage of Red Hat
OpenShift Container Platform in critical infrastructure in the energy sector. This follows the
recommendations coming from the following CIP standards:
- CIP-002-5
- CIP-003-8
- CIP-004-6
- CIP-005-6
- CIP-007-3
- CIP-007-6
- CIP-009-6
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
This compliance profile reflects a set of security recommendations for the usage of Red Hat
OpenShift Container Platform in critical infrastructure in the energy sector. This follows the
recommendations coming from the following CIP standards:
- CIP-002-5
- CIP-003-8
- CIP-004-6
- CIP-005-6
- CIP-007-3
- CIP-007-6
- CIP-009-6
PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-3-2
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4-0
Ensures PCI-DSS v4.0.0 security configuration settings are applied.
PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node-3-2
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node-4-0
Ensures PCI-DSS v4.0.0 security configuration settings are applied.
PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
DISA STIG for Red Hat OpenShift Container Platform 4 - Node level
Profile ID: xccdf_org.ssgproject.content_profile_stig-node-v1r1
This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift
Container Platform 4.
DISA STIG for Red Hat OpenShift Container Platform 4 - Node level
Profile ID: xccdf_org.ssgproject.content_profile_stig-node-v2r1
This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift
Container Platform 4.
DISA STIG for Red Hat OpenShift Container Platform 4 - Node level
Profile ID: xccdf_org.ssgproject.content_profile_stig-node
This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift
Container Platform 4.
DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_stig-v1r1
This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift
Container Platform 4.
DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_stig-v2r1
This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift
Container Platform 4.
DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift
Container Platform 4.
Profiles In Guide To The Secure Configuration Of Red Hat Virtualization 4
Source data stream: ssg-rhv4-ds.xml
The Guide to the Secure Configuration of Red Hat Virtualization 4 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
DRAFT - DISA STIG for Red Hat Virtualization Host (RHVH)
Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
This *draft* profile contains configuration checks that align to the DISA STIG for Red Hat
Virtualization Host (RHVH).
VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)
Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
This compliance profile reflects the core set of security related configuration settings for
deployment of Red Hat Virtualization Host (RHVH) 4.x into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S. National Institute of Standards and
Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)
For any differing configuration requirements, e.g. password lengths, the stricter security setting
was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through the
ComplianceAsCode project, championed by the National Security Agency. Except for differences in
formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as
minor divergences, such as bugfixes, work through the consensus and release processes.
Profiles In Guide To The Secure Configuration Of SUSE Linux Enterprise 12
Source data stream: ssg-sle12-ds.xml
The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence can not be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence can not be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence can not be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence can not be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™
content.
CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™
content.
CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the
Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™
content.
CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the
Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™
content.
PCI-DSS v4 Control Baseline for SUSE Linux Enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
Ensures PCI-DSS v4 security configuration settings are applied.
PCI-DSS v3.2.1 Control Baseline for SUSE Linux Enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Standard System Security Profile for SUSE Linux Enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a SUSE Linux Enterprise 12
system. Regardless of your system's workload all of these checks should pass.
DISA STIG for SUSE Linux Enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise
12 V3R1.
Profiles In Guide To The Secure Configuration Of SUSE Linux Enterprise 15
Source data stream: ssg-sle15-ds.xml
The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence can not be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence can not be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence cannot be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening
level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la
sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux
systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should be installed.
Those whose presence cannot be justified should be disabled, removed or deleted. Performing a
minimal install is a good starting point, but doesn't provide any assurance over any package
installed later. Manual review is required to assess if the installed services are minimal.
CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™
content.
CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™
content.
CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the
Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™
content.
CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the
Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™
content.
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic
personal health information that is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic protected health information.
This profile contains configuration checks that align to the HIPAA Security Rule for SUSE Linux
Enterprise 15 V1R3.
PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
Ensures PCI-DSS v4 security configuration settings are applied.
Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15
Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening-sap
This profile contains configuration rules to be used to harden the images of SUSE Linux Enterprise
Server (SLES) for SAP Applications 15 including all Service Packs, for Public Cloud providers,
currently AWS, Microsoft Azure, and Google Cloud.
Public Cloud Hardening for SUSE Linux Enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening
This profile contains configuration checks to be used to harden SUSE Linux Enterprise 15 for use
with public cloud providers.
Standard System Security Profile for SUSE Linux Enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline of a SUSE Linux Enterprise 15
system based on the SUSE Hardening Guide. Regardless of your system's workload, all of these
checks should pass.
DISA STIG for SUSE Linux Enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise
15 V2R2.
Profiles In Guide To The Secure Configuration Of SUSE Linux Enterprise Micro 5
Source data stream: ssg-slmicro5-ds.xml
The Guide to the Secure Configuration of SUSE Linux Enterprise Micro 5 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
CIS benchmark for SUSE Linux Enterprise Micro (SLEM) 5 for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 Benchmark™, v1.0.0.
This profile includes Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 CIS
Benchmarks™ content.
CIS benchmark for SUSE Linux Enterprise Micro (SLEM) 5 for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 Benchmark™, v1.0.0.
This profile includes Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 CIS
Benchmarks™ content.
CIS benchmark for SUSE Linux Enterprise Micro (SLEM) 5 for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the
Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 for Benchmark™, v1.0.0.
This profile includes Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 CIS
Benchmarks™ content.
CIS benchmark for SUSE Linux Enterprise Micro (SLEM) 5 for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the
Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 for Benchmark™, v1.0.0.
This profile includes Center for Internet Security® SUSE Linux Enterprise Micro (SLEM) 5 CIS
Benchmarks™ content.
Public Cloud Hardening for SUSE Linux Enterprise Micro (SLEM) 5
Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening
This profile contains configuration checks to be used to harden SUSE Linux Enterprise Micro (SLEM)
5 for use with public cloud providers.
DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise
Micro (SLEM) 5.
Profiles In Guide To The Secure Configuration Of Ubuntu 16.04
Source data stream: ssg-ubuntu1604-ds.xml
The Guide to the Secure Configuration of Ubuntu 16.04 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by multiple higher level
security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive information that can be
accessible from unauthenticated or uncontrolled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated flows or
multiple sources.
Standard System Security Profile for Ubuntu 16.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline of an Ubuntu 16.04 system.
Regardless of your system's workload, all of these checks should pass.
Profiles In Guide To The Secure Configuration Of Ubuntu 18.04
Source data stream: ssg-ubuntu1804-ds.xml
The Guide to the Secure Configuration of Ubuntu 18.04 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by multiple higher level
security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive information that can be
accessible from unauthenticated or uncontrolled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated flows or
multiple sources.
CIS Ubuntu 18.04 LTS Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis
This baseline aligns to the Center for Internet Security Ubuntu 18.04 LTS Benchmark, v1.0.0,
released 08-13-2018.
Standard System Security Profile for Ubuntu 18.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline of an Ubuntu 18.04 system.
Regardless of your system's workload, all of these checks should pass.
Profiles In Guide To The Secure Configuration Of Ubuntu 20.04
Source data stream: ssg-ubuntu2004-ds.xml
The Guide to the Secure Configuration of Ubuntu 20.04 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
CIS Ubuntu 20.04 Level 1 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_server
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0,
released 07-21-2020.
CIS Ubuntu 20.04 Level 1 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0,
released 07-21-2020.
CIS Ubuntu 20.04 Level 2 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_server
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0,
released 07-21-2020.
CIS Ubuntu 20.04 Level 2 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_workstation
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0,
released 07-21-2020.
Standard System Security Profile for Ubuntu 20.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline of an Ubuntu 20.04 system.
Regardless of your system's workload, all of these checks should pass.
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R12
Profile ID: xccdf_org.ssgproject.content_profile_stig
This Security Technical Implementation Guide is published as a tool to improve the security of
Department of Defense (DoD) information systems. The requirements are derived from the National
Institute of Standards and Technology (NIST) 800-53 and related documents.
Profiles In Guide To The Secure Configuration Of Ubuntu 22.04
Source data stream: ssg-ubuntu2204-ds.xml
The Guide to the Secure Configuration of Ubuntu 22.04 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
CIS Ubuntu 22.04 Level 1 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_server
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0,
released 08-30-2022.
CIS Ubuntu 22.04 Level 1 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0,
released 08-30-2022.
CIS Ubuntu 22.04 Level 2 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_server
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0,
released 08-30-2022.
CIS Ubuntu 22.04 Level 2 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_workstation
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0,
released 08-30-2022.
Standard System Security Profile for Ubuntu 22.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure a standard security baseline of an Ubuntu 22.04 system.
Regardless of your system's workload, all of these checks should pass.
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R1
Profile ID: xccdf_org.ssgproject.content_profile_stig
This Security Technical Implementation Guide is published as a tool to improve the security of
Department of Defense (DoD) information systems. The requirements are derived from the National
Institute of Standards and Technology (NIST) 800-53 and related documents.
Profiles In Guide To The Secure Configuration Of Ubuntu 24.04
Source data stream: ssg-ubuntu2404-ds.xml
The Guide to the Secure Configuration of Ubuntu 24.04 is broken into 'profiles', groupings of security
settings that correlate to a known policy. Available profiles are:
DRAFT - CIS Ubuntu Linux 24.04 LTS Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_server
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the
Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™, v1.0.0, released 2024-08-26.
This profile includes Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™ content.
DRAFT - CIS Ubuntu Linux 24.04 LTS Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the
Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™, v1.0.0, released 2024-08-26.
This profile includes Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™ content.
DRAFT - CIS Ubuntu Linux 24.04 LTS Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_server
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the
Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™, v1.0.0, released 2024-08-26.
This profile includes Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™ content.
DRAFT - CIS Ubuntu Linux 24.04 LTS Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_workstation
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the
Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™, v1.0.0, released 2024-08-26.
This profile includes Center for Internet Security® Ubuntu Linux 24.04 LTS Benchmark™ content.
See Also
oscap(8)